Files locked by Gibon ransomware can be decrypted thanks to flaws in the malicious code

Gibon ransomware is a new crypto-malware variant which has been spreads via malspam[1] and corrupts files on a computer and appends a .encrypt file extension to their filenames. Consequently, it leaves a note in READ_ME_NOW.txt file and instructs the victim to contact fraudsters by writing to bomboms123@mail.ru or yourfood20@mail.ru.

No further information is provided to the victim, but it is clear that criminals have only one objective – extort the computer user by asking to pay a ransom for a data decryption solution.[2]

This file-encrypting ransomware was dubbed GIBON as it uses such name for user agent during the communication with Command & Control server (C2). Additionally, the name is used in virus’ admin’s panel, where it calls itself “Encryption machine “GIBON.”

According to the latest information, ransomware has also been promoted on various underground criminal forums as an easy way to get rich. A user who presents himself as AUS_8 has been presenting the virus as “Encryption Machine GIBON” since May 2017.[3] All ads that are used to push it re written in Russian, prompting the idea that the virus hails from Russia. The price that is asked for this example is $500.

Once installed on the target computer, the ransomware addresses its C2 server and register the new victim by sending several details about the compromised computer. The C2 server receives the following information (base64-encoded) about victim’s computer:

The timestamp;

Version of Windows OS;

“Register” string.

The server then responds with a base64-encoded string that contains the ransom note. This way, the author of the virus can customize the ransom note text without having to create a whole new ransomware executable and distribute it again.

Finally, the malicious virus generates an encryption key on victim’s computer, encodes it and transmits it to the Command & Control server. The server then responds with a ransom note again.

At this point, the malware is ready to start the encryption procedure. Gibon virus is set to encrypt all files except the ones stored in C:/Windows directory. The entire time of the encryption procedure, the virus keeps sending notifications to its C2 server to confirm that data encryption is in progress.

Finally, the virus completes the encoding procedure by dropping ransom notes into folders that contain some encrypted data. The full text provided in the ransom note is provided below.

Attention! All the files are encrypted! To restore the files, write to the mail: bomboms123@mail.ruIf you do not receive a response from this email within 24 hours, then write to the subsidiary: yourfood20@mail.ru

If your files were corrupted by this malicious virus, you must remove Gibon ransomware as soon as you can. The virus is new and dangerous, so we suggest deleting it with an anti-malware software like Reimage.

IMPORTANT. Good news to all victims of this new ransomware – files encrypted by this malware variant can be decrypted for free. Researchers have discovered a free decryption solution that helps to restore .encrypt extension files for free. Please complete Gibon removal before attempting to use data recovery instructions provided below this article.

The new ransomware is being pushed via malspam and criminal forums

Gibon virus is currently being pushed via malicious spam (also known as malspam), says our colleague from Novirus.uk[4]. It means that you can receive the virus in the form of a deceptive email attachment or a hyperlink added to a virtual message. Therefore, you should stay away from messages composed by strangers, even if they pretend to be someone you know.

Keep in mind that scammers often include official-looking company logos and other details to make their messages look legitimate. Unfortunately, they can also spoof the sender’s address and trick you into thinking that the email came from a trustworthy party.

We do not recommend you to interact with the content of suspicious emails, and better take actions to protect your computer system in advance. First of all, you should secure your PC with an anti-malware software, create a data backup and install the latest software updates. Finally, we recommend reading these tips on how to identify phishing emails containing malicious attachments.

Besides, the latest reports warned PC users that ransomware has also been sold on Russian criminal forums. Currently, the price for this example reaches $500, but there is no guarantee that it won't increase in the future. Unfortunately, this can also increase the risk of getting infected with this example.

Remove Gibon ransomware and decrypt files with .encrypt extensions

The decryption software for the described malware variant is already available, so make sure you remove Gibon virus properly before using it. You can restore all of your files for free, which happens very rarely. It is clear that authors of the virus still have space for improvement and it is very likely that they will do so shortly.

Take the chance and restore your files for free, but do not forget to take precautionary measures to prevent a similar virus from encrypting your files ever again. Gibon removal guide we provided below explains how to kill the virus safely. You will find the link to download the decryption software right below the removal instructions.

What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Gibon removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

When a new window shows up, click Next and select your restore point that is prior the infiltration of Gibon. After doing that, click Next.

Now click Yes to start system restore.

Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Gibon removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Gibon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

At the moment, there is a free decryption tool that you can use to restore all files with .encrypt file extensions. If the ransomware gets updated in the future, the tool may no longer work. However, in such situation you can use data backups (you have to create them prior to a ransomware attack!).

If your files are encrypted by Gibon, you can use several methods to restore them: